\u6211\u5f00\u59cb\u5b66\u4e60\u6709\u5173Kubernetes\u5b89\u5168\u6027\u7684\u5185\u5bb9\uff0c\u4e86\u89e3\u5230\u4e86CIS\u57fa\u51c6\u6d4b\u8bd5\u3002
\n\u8fd9\u662f\u7531\u4e92\u8054\u7f51\u5b89\u5168\u4e2d\u5fc3\u53d1\u5e03\u7684\u5404\u79cd\u8f6f\u4ef6\u548c\u5e73\u53f0\u7684\u5f3a\u5316\u6307\u5357\u3002
\n\u9664\u4e86Kubernetes\u7684CIS\u57fa\u51c6\u6d4b\u8bd5\u4e4b\u5916\uff0c\u8fd8\u6709\u5176\u4ed6\u5404\u79cd\u64cd\u4f5c\u7cfb\u7edf\u7684\u6307\u5357\u3002
\n\u6211\u603b\u7ed3\u4e86\u5173\u4e8e\u8fd9\u4e9b\u5185\u5bb9\u7684\u786e\u8ba4\u7ed3\u679c\u3002<\/p>\n
\u622a\u81f32021\u5e742\u6708\uff0c\u53ef\u83b7\u5f97\u7684Kubernetes CIS\u57fa\u51c6\u7248\u672c\u4e3av1.6.0\uff08\u4e8e2020\u5e747\u670823\u65e5\u53d1\u5e03\uff0c\u9002\u7528\u4e8eKubernetes 1.16-1.18\uff09\uff0cPDF\u6587\u4ef6\u5927\u7ea6\u6709270\u9875\uff0c\u8981\u5168\u90e8\u9605\u8bfb\u786e\u5b9e\u5f88\u56f0\u96be\u3002\u5b9e\u9645\u4e0a\uff0c\u5404\u4e2a\u5b89\u5168\u9879\u76ee\u90fd\u4ee5\u6982\u8ff0\u3001\u914d\u7f6e\u786e\u8ba4\u65b9\u6cd5\u3001\u914d\u7f6e\u65b9\u6cd5\u3001\u5f71\u54cd\u3001\u9ed8\u8ba4\u503c\u3001\u53c2\u8003\u4fe1\u606f\u7b49\u5f62\u5f0f\u8fdb\u884c\u603b\u7ed3\uff0c\u6240\u4ee5\u5e76\u4e0d\u662f\u5f88\u96be\u7406\u89e3\u3002\u5373\u4f7f\u53ea\u770b\u76ee\u5f55\uff0c\u4e5f\u80fd\u4e86\u89e3\u6982\u8981\uff0c\u5982\u679c\u611f\u5174\u8da3\u7684\u8bdd\uff0c\u53ef\u4ee5\u770b\u4e00\u770b\u3002<\/p>\n
\u4f5c\u4e3a\u4e00\u4e2a\u91cd\u8981\u7684\u57fa\u51c6\uff0c\u5b83\u7684\u4e3b\u8981\u6784\u6210\u5982\u4e0b\u3002<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
\u4e3a\u4e86\u9010\u4e2a\u786e\u8ba4\u8fd9\u4e9b\u4e8b\u9879\uff0c\u9700\u8981\u76f8\u5f53\u5927\u7684\u5de5\u4f5c\u91cf\uff0c\u4f46\u662f\u6709\u4e00\u4e2a\u540d\u4e3a kube-bench \u7684\u5de5\u5177\u53ef\u4ee5\u81ea\u52a8\u68c0\u67e5\u3002
\n\u8fd0\u884c kube-bench \u53ef\u4ee5\u6839\u636e CIS Kubernetes Benchmark \u6765\u786e\u8ba4\u5404\u79cd\u914d\u7f6e\u7684\u60c5\u51b5\u3002
\n\u672c\u6587\u5c06\u5c1d\u8bd5\u4f7f\u7528 kube-bench \u68c0\u67e5\u5728\u6ca1\u6709\u8003\u8651\u5b89\u5168\u6027\u7684\u60c5\u51b5\u4e0b\u521b\u5efa\u7684\u5bb6\u5ead Kubernetes \u73af\u5883\u3002\uff08\u8bf7\u6ce8\u610f\uff0c\u4ec5\u4ec5\u662f\u8fd0\u884c\u5de5\u5177\u5e76\u4e0d\u5305\u542b\u7ed3\u679c\u7684\u5b89\u5168\u589e\u5f3a\u65b9\u6cd5\u3002\u6ca1\u505a\u6700\u91cd\u8981\u7684\u4e00\u6b65… \u6211\u4eec\u8ba1\u5212\u9010\u6b65\u5b66\u4e60\u5e76\u8fdb\u884c\u76f8\u5e94\u6539\u8fdb\u3002\uff09<\/p>\n
\u5728 kube-bench \u7684 Readme.md \u4e2d\uff0c\u5217\u4e3e\u4e86\u4e00\u4e9b\u6ce8\u610f\u4e8b\u9879\uff1a
\n– kube-bench \u7684\u68c0\u67e5\u5185\u5bb9\u5e76\u4e0d\u5b8c\u5168\u5bf9\u5e94 CIS \u57fa\u51c6\u6d4b\u8bd5
\n– \u65e0\u6cd5\u5bf9 Kubernetes \u6258\u7ba1\u670d\u52a1\uff08\u5982 GKE\uff09\u7684\u63a7\u5236\u5e73\u9762\u8fdb\u884c\u68c0\u67e5\u3002<\/p>\n
\u867d\u7136\u6709\u70b9\u79bb\u9898\uff0c\u4f46\u636e\u770b\u8d77\u6765\u5404\u4e2a\u4e91\u670d\u52a1\u63d0\u4f9b\u5546\u90fd\u5728\u5bf9\u6258\u7ba1\u670d\u52a1\u4e2d\u7684\u201c\u6258\u7ba1\u201d\u90e8\u5206\u8fdb\u884c\u5b89\u5168\u68c0\u67e5\uff0c\u6240\u4ee5\u901a\u5e38\u60c5\u51b5\u4e0b\u6211\u4eec\u4e0d\u9700\u8981\u7279\u522b\u5173\u6ce8\u8fd9\u4e2a\u95ee\u9898\u3002
\n\u53e6\u5916\uff0c\u5173\u4e8e\u516c\u5f00\u4e86CIS\u57fa\u51c6\u7684\u5404\u4e2a\u4e91\u670d\u52a1\u63d0\u4f9b\u5546\uff0c\u6709\u8bb8\u591a\u9879\u76ee\u88ab\u5224\u5b9a\u4e3a\u201c\u4e0d\u5408\u683c\u201d\uff0c\u4f46\u6211\u4eec\u5fc5\u987b\u610f\u8bc6\u5230\u201c\u4e0d\u5408\u683c\u201d\u5e76\u4e0d\u610f\u5473\u7740\u5b8c\u5168\u4e0d\u53ef\u884c\u3002\u8fd9\u53ef\u80fd\u662f\u56e0\u4e3a\u6240\u8bbe\u60f3\u7684\u67b6\u6784\u4e0d\u540c\u7b49\u539f\u56e0\u5bfc\u81f4\u7684\u3002<\/p>\n
\u6709\u4e9b\u4e91\u5e73\u53f0\u5e76\u4e0d\u8fdb\u884cCIS\u57fa\u51c6\u8bc4\u4f30\u3002\u4f8b\u5982\uff0c\u5173\u4e8eAmazon EKS\uff0c\u57282020\u5e747\u670811\u65e5\u7684\u535a\u5ba2\u4e2d\u63d0\u5230\u4e86\u4ee5\u4e0b\u5185\u5bb9\u3002\uff08\u4f46\u662f\uff0ckube-bench\u6709\u9488\u5bf9EKS\u7684\u6a21\u5757\u53ef\u7528\uff09\u3002<\/p>\n
\u4e2d\u56fd\u56fd\u5bb6\u4e92\u8054\u7f51\u5b89\u5168\u4e2d\u5fc3\uff08CIS\uff09Kubernetes\u57fa\u51c6\u63d0\u4f9b\u4e86\u826f\u597d\u7684\u5b9e\u8df5\u6307\u5357\uff0c\u7528\u4e8e\u81ea\u7ba1\u7406\u7684Kubernetes\u96c6\u7fa4\u7684\u5b89\u5168\u8bbe\u7f6e\u3002\u7136\u800c\uff0c\u5b83\u65e0\u6cd5\u51c6\u786e\u8bc4\u4f30\u7531Amazon EKS\u8fd0\u884c\u7684AWS\u6258\u7ba1Kubernetes\u96c6\u7fa4\u7684\u5b89\u5168\u8bbe\u7f6e\u72b6\u6001\u3002<\/p><\/blockquote>\n
\u6211\u4f1a\u5728\u201c\u53c2\u8003\u201d\u90e8\u5206\u5217\u51fa\u5176\u4ed6\u5404\u79cd\u6258\u7ba1\u4e91\u7684CIS\u57fa\u51c6\u6d4b\u8bd5\u7ed3\u679c\u3002<\/p>\n
\u73af\u5883<\/h1>\n
\u597d\u5427\uff0c\u6682\u4e14\u4e0d\u8c08\u6258\u7ba1\u670d\u52a1\u7684\u4e8b\u60c5\uff0c\u5bb6\u91cc\u7684Kubernetes\u73af\u5883\u7684\u914d\u7f6e\u5982\u4e0b\u3002
\n\u5728\u5bb6\u91cc\u7684Kubernetes\u73af\u5883\u4e2d\uff0c\u6211\u4eec\u5728\u7b14\u8bb0\u672c\u7535\u8111\u4e0a\u5b89\u88c5\u4e86CentOS\u5e76\u51c6\u5907\u4e86KVM\u73af\u5883\uff0c\u7136\u540e\u5728\u5176\u4e0a\u914d\u7f6e\u4e86Kubernetes\u7684\u5404\u4e2a\u8282\u70b9\u4f5c\u4e3a\u865a\u62df\u673a\u3002<\/p>\n\n
- \n
KVM \u30db\u30b9\u30c8<\/ul>\n<\/li>\n<\/ul>\n
CentOS Linux release 8.2.2004 (Core)<\/p>\n
Master \/ Node ( 1 Master \/ 3 Worker \u69cb\u6210 )<\/p>\n
Ubuntu 20.04.1 LTS
\ncontainerd 1.4.3-1
\ncalico 3.11
\nkubernetes 1.20.1<\/p>\n\u6b64\u5916\uff0c\u7531\u4e8e\u5bb6\u5ead\u5c40\u57df\u7f51\u4e0a\u7684 Kubernetes \u96c6\u7fa4\u4ec5\u7528\u4e8e\u5b66\u4e60\u76ee\u7684\uff0c\u56e0\u6b64\u672a\u8003\u8651\u5b89\u5168\u6027\u95ee\u9898\u3002\u63a7\u5236\u5668\u548c\u8282\u70b9\u5747\u5904\u4e8e\u9ed8\u8ba4\u5b89\u5168\u72b6\u6001\u3002<\/p>\n
\u5728\u69cb\u5efa Kubernetes \u96c6\u7fa4\u65b9\u9762\uff0c\u6211\u5011\u4f7f\u7528\u4e86 kubernetes docs \u4e2d kubeadm \u4f7f\u7528\u6a21\u5f0f\uff0c\u4e26\u4e14\u4f7f\u7528 Containerd \u4f5c\u70ba\u5bb9\u5668\u4f7f\u7528\u7684\u5de5\u5177\u3002
\n\uff08\u203b \u6839\u64da CIS Kubernetes Benchmark\uff0c\u4f3c\u4e4e\u4e26\u672a\u6aa2\u67e5\u5230\u5bb9\u5668\u90e8\u5206\uff09
\n\u6839\u64da CIS \u57fa\u6e96\uff0c\u4f3c\u4e4e\u50c5\u9069\u7528\u65bc Kubernetes 1.18 \u4ee5\u524d\u7684\u7248\u672c\uff0c\u4f46\u6211\u5011\u8a8d\u70ba\u5728\u9019\u500b\u74b0\u5883\u4e0b\u4e5f\u53ef\u4ee5\u61c9\u7528\u8a31\u591a\u90e8\u5206\uff0c\u56e0\u6b64\u6703\u8a66\u8457\u78ba\u8a8d\u4e00\u4e0b\u3002<\/p>\n\u5e94\u7528kube-bench<\/h1>\n
\u5728 kube-bench \u7684 Readme.md \u6587\u4ef6\u4e2d\uff0c\u4ecb\u7ecd\u4e86\u4ee5\u4e0b4\u79cd\u5bfc\u5165\u65b9\u6cd5\u3002<\/p>\n
\n
- \n
\u30b3\u30f3\u30c6\u30ca\u5185\u304b\u3089\u5b9f\u884c<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
\n
- \n
kube-bench \u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u30b3\u30f3\u30c6\u30ca\u3092\u5b9f\u884c\u3057\u30db\u30b9\u30c8\u306b\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
\n
- \n
\u30d0\u30a4\u30ca\u30ea\u3001\u30b3\u30f3\u30d5\u30a3\u30b0\u3001\u30c6\u30b9\u30c8\u95a2\u9023\u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
\u30bd\u30fc\u30b9\u304b\u3089\u306e\u30b3\u30f3\u30d1\u30a4\u30eb<\/ul>\n
\u6211\u60f3\u5c1d\u8bd5\u4e00\u4e0b\u770b\u8d77\u6765\u6700\u7b80\u4fbf\u7684\u65b9\u6cd5\uff0c\u5373\u201c\u4ece\u5bb9\u5668\u5185\u90e8\u6267\u884c\u201d\u3002
\n\uff08\u5b9e\u9645\u4e0a\uff0c\u6211\u5728Kubernetes\u4e0a\u4ee5Pod\u7684\u5f62\u5f0f\u8fd0\u884c\u3002\uff09<\/p>\n\u4ece\u5bb9\u5668\u4e2d\u8fd0\u884c kube-bench \u7684\u6982\u8ff0<\/h1>\n
\u6839\u636e Readme.md \u4e2d\u7684 “Running in a kubernetes cluster” \u90e8\u5206\u7684\u6307\u793a\uff0c\u6267\u884c job.yaml \u6587\u4ef6\u3002<\/p>\n
\u6839\u636e\u6211\u7684\u7406\u89e3\uff0c\u5f53\u5728 Redame.md \u4e2d\u8fd0\u884c job.yaml \u6587\u4ef6\u65f6\uff0c\u53ef\u4ee5\u770b\u5230\u4f1a\u5bf9\u4e3b\u8282\u70b9\u548c\u5de5\u4f5c\u8282\u70b9\u8fdb\u884c\u68c0\u67e5\uff0c\u4f46\u5728\u6211\u4eec\u7684\u73af\u5883\u4e2d\uff0c\u53ea\u6709\u8282\u70b9\u9a8c\u8bc1\u88ab\u6267\u884c\u4e86\u3002\u867d\u7136\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528 job-node.yaml \u548c job-master.yaml \u8fdb\u884c\u8282\u70b9\u548c\u4e3b\u8282\u70b9\u7684\u68c0\u67e5\uff0c\u4f46\u5b9e\u9645\u4e0a\u53ea\u80fd\u68c0\u67e5\u5230\u4ee5\u4e0b\u90e8\u5206\uff1a1. \u63a7\u5236\u5e73\u9762\u7ec4\u4ef6\uff0c4. \u5de5\u4f5c\u8282\u70b9\uff0c5. \u7b56\u7565\u3002\u5bf9\u4e8e\u65e0\u6cd5\u68c0\u67e5\u5230 etcd \u548c\u63a7\u5236\u5e73\u9762\u914d\u7f6e\u7684\u539f\u56e0\uff0c\u6211\u8fdb\u884c\u4e86\u591a\u6b21\u5c1d\u8bd5\u3002\u6700\u7ec8\u7684\u7ed3\u8bba\u662f\uff0c\u901a\u8fc7\u57fa\u4e8e master \u7528\u7684 job-master.yaml \u6587\u4ef6\u5e76\u6307\u5b9a kube-bench –version=1.18\uff0c\u6211\u4eec\u53ef\u4ee5\u68c0\u67e5\u5230\u6240\u6709\u9879\u76ee\uff08\u4fee\u8ba2\u5185\u5bb9\u5982\u4e0b\uff09\u3002\u5728\u4f7f\u7528 kube-bench \u65f6\uff0c\u5982\u679c\u4e0d\u6307\u5b9a –version \u9009\u9879\uff0c\u5219\u4f1a\u81ea\u52a8\u5224\u65ad\u7248\u672c\uff0c\u4f46\u6211\u8ba4\u4e3a\u5728 kubernetes 1.20 \u4e0a\u65e0\u6cd5\u6b63\u786e\u5224\u65ad\uff08\u539f\u672c\u4ec5\u9002\u7528\u4e8e 1.16 – 1.18 \u7248\u672c\uff09\u3002<\/p>\n
\u5728 YAML \u4e2d\uff0c\u5927\u81f4\u4e0a\u6709\u4ee5\u4e0b\u914d\u7f6e\u9879\u88ab\u8bbe\u5b9a\u3002\uff08\u5bf9\u4e8emaster\u548cnode\u4e24\u79cd\u7528\u9014\uff0c\u914d\u7f6e\u6709\u6240\u4e0d\u540c\u3002\u4ee5\u4e0b\u662fmaster\u7684\u793a\u4f8b\uff09<\/p>\n
\n
- \n
kubernetes \u306e job \u3068\u3057\u3066 Pod \u3092\u5b9f\u884c<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
\n
- \n
job.spec.template.spec.hostPID \u3092 true \u306b\u8a2d\u5b9a\u3059\u308b\u3053\u3068\u306b\u3088\u308a\u3001\u30b3\u30f3\u30c6\u30ca\u30db\u30b9\u30c8\u3068 PID namespace \u3092\u5171\u6709\u3059\u308b\u3000\uff08\u305d\u308c\u306b\u3088\u308a\u3001\u30db\u30b9\u30c8\u4e0a\u306e\u30d7\u30ed\u30bb\u30b9\u306e\u8a73\u7d30(ptrace)\u3092\u78ba\u8a8d\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u308b\u3088\u3046\u306b\u306a\u308b\uff09<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
\n
- \n
nodeSelector \u3067\u5b9f\u884c\u5bfe\u8c61\u30ce\u30fc\u30c9\u3092\u9078\u629e\u3059\u308b<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
\n
- \n
toleration \u3092\u7528\u3044\u3066 master \u30ce\u30fc\u30c9\u3067\u3082\u7a3c\u50cd\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
\n
- \n
aquasec\/kube-bench:latest\u3000\u30a4\u30e1\u30fc\u30b8\u3092\u5229\u7528\u3059\u308b<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
\n
- \n
command \u306b kube-bench \u3092\u6307\u5b9a\u3000\uff08\u5f15\u6570\u306b node\/master \u3092\u6307\u5b9a\u3059\u308b\uff09<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
\u30b3\u30f3\u30c6\u30ca\u30db\u30b9\u30c8\u4e0a\u306e kubernetes \u95a2\u9023\u30d5\u30a1\u30a4\u30eb\u306e\u30d1\u30b9\u3092 hostPath \u3067\u30b3\u30f3\u30c6\u30ca\u5185\u306b ReadOnly \u3067\u30de\u30a6\u30f3\u30c8\u3057\u3001\u78ba\u8a8d\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b<\/ul>\n
\u7531\u4e8e\u73af\u5883\uff08Kubernetes v1.20.1\uff09\u5df2\u7ecf\u8d85\u51fakube-bench\u7684\u652f\u6301\u7248\u672c\u8303\u56f4\uff0c\u56e0\u6b64\u8fdb\u884c\u4e86kube-bench\u7684\u7248\u672c\u6307\u5b9a\uff081.18\uff09\u3002\u4fee\u6b63\u7ec6\u8282\u5982\u4e0b\u6240\u793a\uff08\u8bf7\u53c2\u8003#\u540e\u9762\u7684\u6ce8\u91ca\u90e8\u5206\uff09\u3002<\/p>\n
---<\/span>\r\napiVersion<\/span>:<\/span> batch\/v1<\/span>\r\nkind<\/span>:<\/span> Job<\/span>\r\nmetadata<\/span>:<\/span>\r\n name<\/span>:<\/span> kube-bench-master<\/span>\r\nspec<\/span>:<\/span>\r\n template<\/span>:<\/span>\r\n spec<\/span>:<\/span>\r\n hostPID<\/span>:<\/span> true<\/span>\r\n nodeSelector<\/span>:<\/span>\r\n node-role.kubernetes.io\/master<\/span>:<\/span> \"<\/span>\"<\/span>\r\n tolerations<\/span>:<\/span>\r\n -<\/span> key<\/span>:<\/span> node-role.kubernetes.io\/master<\/span>\r\n operator<\/span>:<\/span> Exists<\/span>\r\n effect<\/span>:<\/span> NoSchedule<\/span>\r\n containers<\/span>:<\/span>\r\n -<\/span> name<\/span>:<\/span> kube-bench<\/span>\r\n image<\/span>:<\/span> aquasec\/kube-bench:latest<\/span>\r\n# command: [\"kube-bench\", \"master\"] # \u5143\u306e command \u90e8\u5206\u3092\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8<\/span>\r\n command<\/span>:<\/span> [<\/span>\"<\/span>kube-bench\"<\/span>]<\/span> # command \u306f kube-bench \u306e\u307f\u306b\u5909\u66f4<\/span>\r\n args<\/span>:<\/span> [<\/span>\"<\/span>--version=1.18\"<\/span>]<\/span> # \u5f15\u6570\u306b --version=1.18 \u3092\u8ffd\u52a0<\/span>\r\n volumeMounts<\/span>:<\/span>\r\n\u2026\u7565<\/span>\r\n<\/code><\/pre>\nkube-bench\u6267\u884c\u793a\u4f8b<\/h1>\n
\u6267\u884c\u8d77\u6765\u5e76\u4e0d\u96be\uff0c\u53ea\u9700\u8981\u5e94\u7528yaml\u6587\u4ef6\u3002
\n\u5c06\u4f1a\u521b\u5efa\u4e00\u4e2a\u4f5c\u4e1a(job)\u5e76\u5728Pod\u4e2d\u6267\u884c\u5904\u7406\u3002\uff08*\u4e0b\u9762\u7684job.yaml\u6587\u4ef6\u662f\u5728\u4e0a\u8ff0\u90e8\u5206\u57fa\u4e8ejob-master.yaml\u8fdb\u884c\u4fee\u6539\u7684\u6587\u4ef6\u3002\uff09<\/p>\n#<\/span> kubectl apply -f<\/span> job.yaml\r\njob.batch\/kube-bench-master created\r\n\r\n<\/span>#<\/span> kubectl get jobs<\/span> -o<\/span> wide\r\nNAME COMPLETIONS DURATION AGE CONTAINERS IMAGES SELECTOR\r\nkube-bench-master 1\/1 4s 5s kube-bench aquasec\/kube-bench:latest controller-uid=fe19f9fe-e752-487f-bf5f-fe7f2b42d7c4\r\n\r\n<\/span>#<\/span> kubectl get pods -o<\/span> wide\r\nNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES\r\n<\/span>kube-bench-master-zr44r 0\/1 Completed 0 9s 10.200.163.35 k8sctl0 <none><\/span> <none>\r\n<\/code><\/pre>\n\u9700\u8981\u6ce8\u610f\u7684\u662f\u6267\u884c\u8282\u70b9\u3002
\n\u5728\u4e0a\u9762\u7684\u4f8b\u5b50\u4e2d\uff0c\u5b83\u662f\u5728 k8sctl0 \u4e0a\u6267\u884c\u7684\u3002\uff08\u7531\u4e8e\u53ea\u6709\u4e00\u4e2a\u63a7\u5236\u5e73\u9762\uff0c\u6240\u4ee5\u5f53\u7136\u662f\u8fd9\u6837\uff09
\n\u5982\u679c\u6709\u591a\u4e2a\u8282\u70b9\uff0c\u5219\u53d6\u51b3\u4e8e kube-scheduler \u7684\u9009\u62e9\u6765\u786e\u5b9a\u5728\u54ea\u4e2a\u8282\u70b9\u4e0a\u6267\u884c\u3002
\n\u5982\u679c\u4f60\u8ba4\u4e3a\u5df2\u7ecf\u4fee\u6539\u4e86\u7279\u5b9a\u8282\u70b9\u7684\u8bbe\u7f6e\u4f46\u68c0\u67e5\u7ed3\u679c\u6ca1\u6709\u53d8\u6210 [PASS]\uff0c\u90a3\u53ef\u80fd\u662f\u88ab\u5206\u914d\u7ed9\u4e86\u5176\u4ed6\u8282\u70b9\u8fdb\u884c\u68c0\u67e5\u3002\u662f\u7684\uff0c\u6211\u81ea\u5df1\u6709\u8fc7\u8fd9\u6837\u7684\u7ecf\u5386\u3002<\/p>\n\u60a8\u53ef\u4ee5\u5728 Pod \u7684\u65e5\u5fd7\u4e2d\u67e5\u770b\u6267\u884c\u7ed3\u679c\u3002<\/p>\n
#<\/span> kubectl logs kube-bench-master-zr44r\r\n\r\n[INFO] 1 Master Node Security Configuration\r\n[INFO] 1.1 Master Node Configuration Files\r\n[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)\r\n\r\n<\/span>...\r\n<\/span>\r\n[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)\r\n[WARN] 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)\r\n[PASS] 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)\r\n[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)\r\n[PASS] 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)\r\n\r\n<\/span>...\r\n<\/span>\r\n1.1.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\r\nfrom the below command:\r\nps -ef | grep etcd\r\nRun the below command (based on the etcd data directory found above).\r\nFor example, chown etcd:etcd \/var\/lib\/etcd\r\n\r\n<\/span>...\r\n<\/span>\r\n== Summary master ==\r\n45 checks PASS\r\n10 checks FAIL\r\n10 checks WARN\r\n0 checks INFO\r\n\r\n== Summary total ==\r\n45 checks PASS\r\n10 checks FAIL\r\n10 checks WARN\r\n0 checks INFO\r\n\r\n<\/span><\/code><\/pre>\n\u5bf9\u4e8e\u6bcf\u4e2a\u90e8\u5206\u7684\u9879\u76ee\uff0c\u5c06\u4f1a\u663e\u793a[PASS]\u3001[WARN]\u3001[FAIL]\u3002
\n\u5c3d\u7ba1\u793a\u4f8b\u4e2d\u6ca1\u6709\u63d0\u53ca\uff0c\u4f46\u5df2\u5bf91\u81f35\u4e2a\u90e8\u5206\u8fdb\u884c\u4e86\u68c0\u67e5\u3002<\/p>\n\u6b64\u5916\uff0c\u5bf9\u4e8e\u88ab\u6807\u8bb0\u4e3a\u201c\u624b\u52a8\u201d\u7684\u9879\u76ee\uff0c\u5982\u679c\u80fd\u591f\u786e\u8ba4\u5219\u6807\u8bb0\u4e3a[\u901a\u8fc7]\uff0c\u5426\u5219\u6807\u8bb0\u4e3a[\u8b66\u544a]\uff0c\u5982\u679c\u6807\u8bb0\u4e3a[\u8b66\u544a]\uff0c\u5219\u9700\u8981\u81ea\u884c\u786e\u8ba4\u3002
\n\u4f8b\u5982\uff0c\u57281.1.9\u7248\u672c\u4e2d\u7684CNI\u76f8\u5173\u6587\u4ef6\u6743\u9650\uff0c\u6211\u4eec\u7684\u73af\u5883\u662f\u4f7f\u7528Calico\uff0c\u5728\/etc\/cni\/net.d\/\u76ee\u5f55\u4e0b\u7684\u6587\u4ef6\u6743\u9650\u6bd4644\u66f4\u4e25\u683c\uff0c\u4f46\u4f3c\u4e4e\u65e0\u6cd5\u8bfb\u53d6\u3002<\/p>\n\u4f5c\u4e3a\u6ce8\u610f\u4e8b\u9879\uff0c5.\u6761\u6b3e\u4e2d\u5305\u62ec\u4e86\u5bf9 RBAC\u3001Pod \u5b89\u5168\u7b56\u7565\u3001\u7f51\u7edc\u7b56\u7565\u3001\u5bc6\u94a5\u7b49\u7684\u89c4\u5b9a\u3002
\n\u6240\u6709\u8fd9\u4e9b\u89c4\u5b9a\u90fd\u8981\u6c42\u5c06 RBAC \u8bbe\u5b9a\u4e3a\u6700\u4f4e\u5fc5\u8981\u6743\u9650\u3002
\n\u7531\u4e8e\u8fd9\u4e9b\u5185\u5bb9\u4e0d\u80fd\u81ea\u52a8\u8bc6\u522b\uff0c\u6240\u4ee5\u51e0\u4e4e\u5168\u90e8\u90fd\u88ab\u6807\u6ce8\u4e3a[\u8b66\u544a]\u3002
\n\u8fd9\u610f\u5473\u7740\u6700\u7ec8\u6211\u4eec\u8fd8\u662f\u9700\u8981\u81ea\u884c\u59a5\u5584\u7ba1\u7406\u3002<\/p>\n\u5bf9\u4e8e[\u8b66\u544a]\u548c[\u5931\u8d25]\u7684\u6848\u4f8b\uff0c\u63a5\u4e0b\u6765\u4f1a\u63d0\u4f9b\u7b80\u5355\u7684\u89e3\u51b3\u65b9\u6cd5\u3002
\n\u57281.1.12\u7684\u4f8b\u5b50\u4e2d\uff0c\u5efa\u8bae\u5c06etcd\u7684–data-dir\u7684\u6240\u6709\u8005\u548c\u7ec4\u8bbe\u7f6e\u4e3aetcd:etcd\u3002
\n\u7ecf\u8fc7\u786e\u8ba4\uff0c\u53d1\u73b0\u6240\u6709\u8005\u548c\u7ec4\u88ab\u8bbe\u7f6e\u4e3aroot\u3002<\/p>\n#<\/span> ps -ef<\/span> | grep <\/span>etcd | grep <\/span>data-dir\r\nroot 1378 1313 1 00:48 ? 00:06:09 etcd --advertise-client-urls=https:\/\/192.168.199.200:2379 --cert-file=\/etc\/kubernetes\/pki\/etcd\/server.crt --client-cert-auth=true --data-dir=\/var\/lib\/etcd --initial-advertise-peer-urls=https:\/\/192.168.199.200:2380 --initial-cluster=k8sctl0=https:\/\/192.168.199.200:2380 --key-file=\/etc\/kubernetes\/pki\/etcd\/server.key --listen-client-urls=https:\/\/127.0.0.1:2379,https:\/\/192.168.199.200:2379 --listen-metrics-urls=http:\/\/127.0.0.1:2381 --listen-peer-urls=https:\/\/192.168.199.200:2380 --name=k8sctl0 --peer-cert-file=\/etc\/kubernetes\/pki\/etcd\/peer.crt --peer-client-cert-auth=true --peer-key-file=\/etc\/kubernetes\/pki\/etcd\/peer.key --peer-trusted-ca-file=\/etc\/kubernetes\/pki\/etcd\/ca.crt --snapshot-count=10000 --trusted-ca-file=\/etc\/kubernetes\/pki\/etcd\/ca.crt\r\n\r\n<\/span>#<\/span> ls<\/span> -ld<\/span> \/var\/lib\/etcd\r\ndrwx------ 3 root root 4096 Feb 11 00:48 \/var\/lib\/etcd\r\n\r\n<\/span><\/code><\/pre>\n\u6211\u8ba4\u4e3a\u8be5\u6587\u4e2d\u7684\u5e94\u5bf9\u65b9\u6cd5\u76f8\u5bf9\u6613\u61c2\u3002
\n\u5982\u679c\u4f60\u5bf9\u5185\u5bb9\u4e0d\u7406\u89e3\u6216\u8005\u60f3\u8981\u4e86\u89e3\u66f4\u591a\u8be6\u60c5\uff0c\u53ef\u4ee5\u67e5\u770bCIS Kubernetes\u57fa\u51c6\u7684PDF\u6587\u4ef6\u4e2d\u7684\u76f8\u5e94\u90e8\u5206\uff0c\u5176\u4e2d\u5305\u542b\u66f4\u8be6\u7ec6\u7684\u63cf\u8ff0\u3001\u786e\u8ba4\u65b9\u6cd5\u4ee5\u53ca\u76f8\u5173\u53c2\u8003\u4fe1\u606f\u7684\u94fe\u63a5\u3002<\/p>\n\u6839\u636e\u8fd9\u4e9b\u4fe1\u606f\uff0c\u901a\u8fc7\u8fdb\u884c\u786c\u5316\u8bbe\u7f6e\uff0c\u53ef\u4ee5\u589e\u5f3a\u5b89\u5168\u6027\u3002<\/p>\n
\u6ce8\u610f\u4e8b\u9879\u662f\uff0c\u5982\u679c\u8fdb\u884c\u4e86\u76f8\u5173\u7684\u8bbe\u7f6e\uff0c\u65e0\u6cd5\u4fdd\u8bc1\u5176\u80fd\u591f\u6b63\u786e\u8fd0\u884c\u3002
\n\u4f8b\u5982\uff0c\u5728\u8282\u70b9\u7aef\u8fdb\u884c\u68c0\u67e5\u65f6\uff0c\u4f1a\u5efa\u8bae\u5c06–protect-kernel-defaults\u8bbe\u7f6e\u4e3atrue\u3002
\n\u7136\u800c\uff0c\u5982\u679c\u91c7\u53d6\u4e86\u8fd9\u6837\u7684\u63aa\u65bd\uff0ckubelet\u5c06\u65e0\u6cd5\u8fd0\u884c\uff0c\u5e76\u4e14\u9700\u8981\u8c03\u6574\u5185\u6838\u53c2\u6570\u3002
\n\u5df2\u7ecf\u6709\u4eba\u603b\u7ed3\u4e86\u8fd9\u6837\u7684\u89e3\u51b3\u65b9\u6848\u3002<\/p>\n\u5728\u8bbe\u7f6ekubelet\u7684–protect-kernel-defaults\u4e3atrue\u65f6\u9700\u8981\u8fdb\u884c\u7684\u5185\u6838\u8c03\u4f18\u3002<\/p>\n
\u9700\u8981\u8c03\u6574\u5185\u6838\u53c2\u6570\u4ee5\u4f7fkubelet\u7684–protect-kernel-defaults\u53c2\u6570\u4e3atrue\u3002<\/p>\n
\u6211\u8ba4\u4e3a\uff0c\u4ec5\u4ec5\u6309\u7167\u6307\u5357\u7b80\u5355\u8bbe\u7f6e\u5e76\u4e0d\u610f\u5473\u7740\u8fd9\u5c31\u53ef\u4ee5\u4e86\u3002\u4f46\u662f\uff0c\u6709\u4e86\u786c\u5316\u6307\u5357\u548c\u5de5\u5177\uff0c\u5bf9\u5e94\u7b56\u7565\u7684\u590d\u6742\u5ea6\u5c06\u5b8c\u5168\u4e0d\u540c\u3002<\/p>\n
\u7ed3\u675f<\/h1>\n
\u7531CIS\u7f16\u5236\u7684\u786c\u5316\u6307\u5357\u4ee5\u53ca\u57fa\u4e8e\u8be5\u6307\u5357\u7684\u8bca\u65ad\u5de5\u5177kube-bench\u7684\u5b58\u5728\uff0c\u6211\u8ba4\u4e3a\u964d\u4f4e\u4e86Kubernetes\u7684\u786c\u5316\u96be\u5ea6\u3002\u7136\u800c\uff0c\u9700\u8981\u8bb0\u4f4f\u7684\u662f\uff0c\u786c\u5316\u53ea\u662f\u589e\u5f3a\u5b89\u5168\u6027\u7684\u624b\u6bb5\u4e4b\u4e00\uff0c\u800c\u4e0d\u662f\u53ea\u8981\u8fdb\u884c\u786c\u5316\u5c31\u53ef\u4ee5\u4e86\uff0c\u56e0\u6b64\u5728\u4f7f\u7528\u548c\u8fd0\u8425\u4e2d\u9700\u8981\u6ce8\u610f\u3002<\/p>\n
\n\u53c2\u8003\uff09\u25a0 \u4fe1\u606f\u5171\u4eab\u4e0e\u5b89\u5168\u4e2d\u5fc3
\nhttps:\/\/www.cisecurity.org\/<\/p>\n\u25a0 kube-bench
\nhttps:\/\/github.com\/aquasecurity\/kube-bench<\/p>\n\u25a0 CIS \u57fa\u51c6\uff08GKE \/ anthos\uff09
\n\u8bf7\u8bbf\u95ee\u4ee5\u4e0b\u94fe\u63a5\u67e5\u9605\u76f8\u5173\u6587\u4ef6\uff1a
\n– GKE\uff1ahttps:\/\/cloud.google.com\/kubernetes-engine\/docs\/concepts\/cis-benchmarks?hl=ja
\n– Anthos\uff1ahttps:\/\/cloud.google.com\/anthos\/gke\/docs\/on-prem\/1.5\/concepts\/cis-benchmarks?hl=ja<\/p>\n\u25a0 CIS\u57fa\u51c6\u6d4b\u8bd5\uff08AKS\uff09
\nhttps:\/\/docs.microsoft.com\/zh-cn\/azure\/aks\/security-hardened-vm-host-image<\/p>\n\u25a0 CIS\u57fa\u51c6\uff08IKS\uff09
\nhttps:\/\/cloud.ibm.com\/docs\/containers?topic=containers-cis-benchmark<\/p>\n
\n","protected":false},"excerpt":{"rendered":"\u9996\u5148 \u6211\u5f00\u59cb\u5b66\u4e60\u6709\u5173Kubernetes\u5b89\u5168\u6027\u7684\u5185\u5bb9\uff0c\u4e86\u89e3\u5230\u4e86CIS\u57fa\u51c6\u6d4b\u8bd5\u3002 \u8fd9\u662f\u7531\u4e92\u8054\u7f51\u5b89\u5168\u4e2d\u5fc3\u53d1\u5e03\u7684\u5404\u79cd […]<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-36133","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head":"\n
\u4f7f\u7528kube-bench\u5de5\u5177\u68c0\u67e5Kubernetes\u7684\u786c\u5316\u60c5\u51b5 - Blog - Silicon Cloud<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.silicloud.com\/zh\/blog\/\u4f7f\u7528kube-bench\u5de5\u5177\u68c0\u67e5kubernetes\u7684\u786c\u5316\u60c5\u51b5\u3002\/\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u4f7f\u7528kube-bench\u5de5\u5177\u68c0\u67e5Kubernetes\u7684\u786c\u5316\u60c5\u51b5\" \/>\n<meta property=\"og:description\" content=\"\u9996\u5148 \u6211\u5f00\u59cb\u5b66\u4e60\u6709\u5173Kubernetes\u5b89\u5168\u6027\u7684\u5185\u5bb9\uff0c\u4e86\u89e3\u5230\u4e86CIS\u57fa\u51c6\u6d4b\u8bd5\u3002 \u8fd9\u662f\u7531\u4e92\u8054\u7f51\u5b89\u5168\u4e2d\u5fc3\u53d1\u5e03\u7684\u5404\u79cd […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.silicloud.com\/zh\/blog\/\u4f7f\u7528kube-bench\u5de5\u5177\u68c0\u67e5kubernetes\u7684\u786c\u5316\u60c5\u51b5\u3002\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog - Silicon Cloud\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-06T13:15:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-05-04T10:26:33+00:00\" \/>\n<meta name=\"author\" content=\"\u6e05, \u626c\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"\u6e05, \u626c\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e4%bd%bf%e7%94%a8kube-bench%e5%b7%a5%e5%85%b7%e6%a3%80%e6%9f%a5kubernetes%e7%9a%84%e7%a1%ac%e5%8c%96%e6%83%85%e5%86%b5%e3%80%82\/\",\"url\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e4%bd%bf%e7%94%a8kube-bench%e5%b7%a5%e5%85%b7%e6%a3%80%e6%9f%a5kubernetes%e7%9a%84%e7%a1%ac%e5%8c%96%e6%83%85%e5%86%b5%e3%80%82\/\",\"name\":\"\u4f7f\u7528kube-bench\u5de5\u5177\u68c0\u67e5Kubernetes\u7684\u786c\u5316\u60c5\u51b5 - Blog - Silicon Cloud\",\"isPartOf\":{\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#website\"},\"datePublished\":\"2024-01-06T13:15:15+00:00\",\"dateModified\":\"2024-05-04T10:26:33+00:00\",\"author\":{\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/cb5556d2501da73d864cac945e8d9461\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e4%bd%bf%e7%94%a8kube-bench%e5%b7%a5%e5%85%b7%e6%a3%80%e6%9f%a5kubernetes%e7%9a%84%e7%a1%ac%e5%8c%96%e6%83%85%e5%86%b5%e3%80%82\/#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.silicloud.com\/zh\/blog\/%e4%bd%bf%e7%94%a8kube-bench%e5%b7%a5%e5%85%b7%e6%a3%80%e6%9f%a5kubernetes%e7%9a%84%e7%a1%ac%e5%8c%96%e6%83%85%e5%86%b5%e3%80%82\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e4%bd%bf%e7%94%a8kube-bench%e5%b7%a5%e5%85%b7%e6%a3%80%e6%9f%a5kubernetes%e7%9a%84%e7%a1%ac%e5%8c%96%e6%83%85%e5%86%b5%e3%80%82\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9875\",\"item\":\"https:\/\/www.silicloud.com\/zh\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\u4f7f\u7528kube-bench\u5de5\u5177\u68c0\u67e5Kubernetes\u7684\u786c\u5316\u60c5\u51b5\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#website\",\"url\":\"https:\/\/www.silicloud.com\/zh\/blog\/\",\"name\":\"Blog - Silicon Cloud\",\"description\":\"\",\"inLanguage\":\"zh-Hans\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/cb5556d2501da73d864cac945e8d9461\",\"name\":\"\u6e05, \u626c\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/32a4239de8ff29adace466261d309424a1e5fe9f7e3036bf89fe03f2e3dbe717?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/32a4239de8ff29adace466261d309424a1e5fe9f7e3036bf89fe03f2e3dbe717?s=96&d=mm&r=g\",\"caption\":\"\u6e05, \u626c\"},\"url\":\"https:\/\/www.silicloud.com\/zh\/blog\/author\/qingyang\/\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e4%bd%bf%e7%94%a8kube-bench%e5%b7%a5%e5%85%b7%e6%a3%80%e6%9f%a5kubernetes%e7%9a%84%e7%a1%ac%e5%8c%96%e6%83%85%e5%86%b5%e3%80%82\/#local-main-organization-logo\",\"url\":\"\",\"contentUrl\":\"\",\"caption\":\"Blog - Silicon Cloud\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"\u4f7f\u7528kube-bench\u5de5\u5177\u68c0\u67e5Kubernetes\u7684\u786c\u5316\u60c5\u51b5 - Blog - Silicon Cloud","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.silicloud.com\/zh\/blog\/\u4f7f\u7528kube-bench\u5de5\u5177\u68c0\u67e5kubernetes\u7684\u786c\u5316\u60c5\u51b5\u3002\/","og_locale":"zh_CN","og_type":"article","og_title":"\u4f7f\u7528kube-bench\u5de5\u5177\u68c0\u67e5Kubernetes\u7684\u786c\u5316\u60c5\u51b5","og_description":"\u9996\u5148 \u6211\u5f00\u59cb\u5b66\u4e60\u6709\u5173Kubernetes\u5b89\u5168\u6027\u7684\u5185\u5bb9\uff0c\u4e86\u89e3\u5230\u4e86CIS\u57fa\u51c6\u6d4b\u8bd5\u3002 \u8fd9\u662f\u7531\u4e92\u8054\u7f51\u5b89\u5168\u4e2d\u5fc3\u53d1\u5e03\u7684\u5404\u79cd […]","og_url":"https:\/\/www.silicloud.com\/zh\/blog\/\u4f7f\u7528kube-bench\u5de5\u5177\u68c0\u67e5kubernetes\u7684\u786c\u5316\u60c5\u51b5\u3002\/","og_site_name":"Blog - Silicon Cloud","article_published_time":"2024-01-06T13:15:15+00:00","article_modified_time":"2024-05-04T10:26:33+00:00","author":"\u6e05, \u626c","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"\u6e05, \u626c","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"3 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.silicloud.com\/zh\/blog\/%e4%bd%bf%e7%94%a8kube-bench%e5%b7%a5%e5%85%b7%e6%a3%80%e6%9f%a5kubernetes%e7%9a%84%e7%a1%ac%e5%8c%96%e6%83%85%e5%86%b5%e3%80%82\/","url":"https:\/\/www.silicloud.com\/zh\/blog\/%e4%bd%bf%e7%94%a8kube-bench%e5%b7%a5%e5%85%b7%e6%a3%80%e6%9f%a5kubernetes%e7%9a%84%e7%a1%ac%e5%8c%96%e6%83%85%e5%86%b5%e3%80%82\/","name":"\u4f7f\u7528kube-bench\u5de5\u5177\u68c0\u67e5Kubernetes\u7684\u786c\u5316\u60c5\u51b5 - Blog - Silicon Cloud","isPartOf":{"@id":"https:\/\/www.silicloud.com\/zh\/blog\/#website"},"datePublished":"2024-01-06T13:15:15+00:00","dateModified":"2024-05-04T10:26:33+00:00","author":{"@id":"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/cb5556d2501da73d864cac945e8d9461"},"breadcrumb":{"@id":"https:\/\/www.silicloud.com\/zh\/blog\/%e4%bd%bf%e7%94%a8kube-bench%e5%b7%a5%e5%85%b7%e6%a3%80%e6%9f%a5kubernetes%e7%9a%84%e7%a1%ac%e5%8c%96%e6%83%85%e5%86%b5%e3%80%82\/#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.silicloud.com\/zh\/blog\/%e4%bd%bf%e7%94%a8kube-bench%e5%b7%a5%e5%85%b7%e6%a3%80%e6%9f%a5kubernetes%e7%9a%84%e7%a1%ac%e5%8c%96%e6%83%85%e5%86%b5%e3%80%82\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.silicloud.com\/zh\/blog\/%e4%bd%bf%e7%94%a8kube-bench%e5%b7%a5%e5%85%b7%e6%a3%80%e6%9f%a5kubernetes%e7%9a%84%e7%a1%ac%e5%8c%96%e6%83%85%e5%86%b5%e3%80%82\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"https:\/\/www.silicloud.com\/zh\/blog\/"},{"@type":"ListItem","position":2,"name":"\u4f7f\u7528kube-bench\u5de5\u5177\u68c0\u67e5Kubernetes\u7684\u786c\u5316\u60c5\u51b5"}]},{"@type":"WebSite","@id":"https:\/\/www.silicloud.com\/zh\/blog\/#website","url":"https:\/\/www.silicloud.com\/zh\/blog\/","name":"Blog - Silicon Cloud","description":"","inLanguage":"zh-Hans"},{"@type":"Person","@id":"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/cb5556d2501da73d864cac945e8d9461","name":"\u6e05, \u626c","image":{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/32a4239de8ff29adace466261d309424a1e5fe9f7e3036bf89fe03f2e3dbe717?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/32a4239de8ff29adace466261d309424a1e5fe9f7e3036bf89fe03f2e3dbe717?s=96&d=mm&r=g","caption":"\u6e05, \u626c"},"url":"https:\/\/www.silicloud.com\/zh\/blog\/author\/qingyang\/"},{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/www.silicloud.com\/zh\/blog\/%e4%bd%bf%e7%94%a8kube-bench%e5%b7%a5%e5%85%b7%e6%a3%80%e6%9f%a5kubernetes%e7%9a%84%e7%a1%ac%e5%8c%96%e6%83%85%e5%86%b5%e3%80%82\/#local-main-organization-logo","url":"","contentUrl":"","caption":"Blog - Silicon Cloud"}]}},"_links":{"self":[{"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/posts\/36133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/comments?post=36133"}],"version-history":[{"count":2,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/posts\/36133\/revisions"}],"predecessor-version":[{"id":99957,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/posts\/36133\/revisions\/99957"}],"wp:attachment":[{"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/media?parent=36133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/categories?post=36133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/tags?post=36133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}